System and method for detecting malicious links in electronic messages

Abstract

According to one embodiment, in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, any known URL links are removed from the URL links based on a list of known link signatures. For each of remaining URL links that are unknown, a link analysis is performed on the URL link based on link heuristics to determine whether the URL link is suspicious. For each of the suspicious URL links, a dynamic analysis is performed on a resource of the suspicious URL link. It is classified whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.

Description

RELATED APPLICATIONS[0001]This application is a continuation of U.S. patent application Ser. No. 15 / 083,171 filed Mar. 28, 2016, now U.S. Pat. No. 9,888,019 issued Feb. 6, 2018, which is a continuation of U.S. patent application Ser. No. 13 / 945,394 filed on Jul. 18, 2013, now U.S. Pat. No. 9,300,686 issued Mar. 29, 2016, the entire contents of which are incorporated by reference herein.FIELD OF THE INVENTION[0002]Embodiments of the present invention relate generally to malware detection. More particularly, embodiments of the invention relate to detecting malicious links in electronic messages.BACKGROUND[0003]Malicious software, or malware for short, may include any program or file that is harmful by design to a computer. Malware includes computer viruses, worms, Trojan horses, adware, spyware, and any programming that gathers information about a computer or its user or otherwise operates without permission. The owners of the computers are often unaware that these programs have been ...

AI Technical Summary

Benefits of technology

The patent text describes a method for detecting malicious links in electronic messages, such as emails, to prevent malicious software from infecting computers. The method involves analyzing network traffic to identify suspicious content and verify if it is malicious. This approach can detect various types of malware and reduce false positives, which can interfere with network content or email. The method can also be used in conjunction with other methods, such as anti-virus scanning and virtual environments, to improve malware detection.

Problems solved by technology

Malicious software, or malware for short, may include any program or file that is harmful by design to a computer.

The owners of the computers are often unaware that these programs have been added to their computers and are often similarly unaware of their function.

Furthermore, malicious content may exist in files contained in a computer memory or storage device, having infected those files through any of a variety of attack vectors.

Unfortunately, by the time malware is detected by the scanning software, some damage on the computer or loss of privacy may have already occurred, and the malware may have propagated from the infected computer to other computers.

Additionally, it may take days or weeks for new signatures to be manually created, the scanning signature library updated and received for use by the scanning software, and the new signatures employed in new scans.

Moreover, anti-virus scanning utilities may have limited effectiveness to protect against all exploits by polymorphic malware.

Dealing with false positives in malware detection may needlessly slow or interfere with download of network content or receipt of email, for example.

Images